RPM

Bug #633646
Comment #2

Comment 2 for bug 633646

Revision history for this message

In Red Hat Bugzilla #623466, Steve (steve-redhat-bugs) wrote on 2010-08-11:

Summary:

SELinux is preventing /usr/sbin/nscd access to a leaked /dev/null file
descriptor.

Detailed Description:

[nscd has a permissive type (nscd_t). This access was not denied.]

SELinux denied access requested by the nscd command. It looks like this is
either a leaked descriptor or nscd output was redirected to a file it is not
allowed to access. Leaks usually can be ignored since SELinux is just closing
the leak and reporting the error. The application does not use the descriptor,
so it will run properly. If this is a redirection, you will not get output in
the /dev/null. You should generate a bugzilla on selinux-policy, and it will get
routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Raw Audit Messages

node=(removed) type=AVC msg=audit(1281218473.990:210): avc: denied { write } for pid=4902 comm="nscd" path="/dev/null" dev=sda7 ino=169346 scontext=unconfined_u:system_r:nscd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1281218473.990:210): arch=40000003 syscall=11 success=yes exit=0 a0=80598b3 a1=bffb77b0 a2=bffb77c4 a3=bffb7904 items=0 ppid=4898 pid=4902 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="nscd" exe="/usr/sbin/nscd" subj=unconfined_u:system_r:nscd_t:s0-s0:c0.c1023 key=(null)

Hash String generated from leaks,nscd,nscd_t,device_t,file,write
audit2allow suggests:

#============= nscd_t ==============
allow nscd_t device_t:file write;

Summary:

SELinux is preventing /usr/sbin/nscd access to a leaked /dev/null file
descriptor.

Detailed Description:

[nscd has a permissive type (nscd_t). This access was not denied.]

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                unconfined_u:system_r:nscd_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:device_t:s0
Target Objects                /dev/null [ file ]
Source                        nscd
Source Path                   /usr/sbin/nscd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           nscd-2.12-3
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-41.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.6-147.2.4.fc13.i686.PAE #1 SMP
                              Fri Jul 23 17:21:06 UTC 2010 i686 i686
Alert Count                   32
First Seen                    Sat 07 Aug 2010 02:59:13 PM PDT
Last Seen                     Sat 07 Aug 2010 03:01:13 PM PDT
Local ID                      ab9bee59-e966-4886-a1ad-7c3646e7cfbe
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1281218473.990:210): avc:  denied  { write } for  pid=4902 comm="nscd" path="/dev/null" dev=sda7 ino=169346 scontext=unconfined_u:system_r:nscd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=file

Hash String generated from  leaks,nscd,nscd_t,device_t,file,write
audit2allow suggests:

#============= nscd_t ==============
allow nscd_t device_t:file write;